Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
 Topic: 401's in acess log after authentication with mod_authnz_sspi |
|
| Author |
|
Brian
Joined: 21 Oct 2005
Posts: 209
Location: Puyallup, WA USA
|
 Posted: Thu 30 Oct '14 18:48 Post subject: 401's in acess log after authentication with mod_authnz_sspi |
 |
|
I haven't worked with Apache HTTPD for a very long time. How long? Last time I deployed Apache was in the 2.0 days. I recently deployed the 2.4 binaries from AL, added to that from another source mod_authnz_sspi with success.
The HTTPD server has no vhosts, it is only fronting for Tomcat through the jk_module. So authentication for the apps that require it goes through SSPI which is set to require members of a speicfic domain security group. Again, this all works - access is granted with succesful authentication.
The strange thing is in the access.log, with each hit to the resource (e.g. /Location or /Directory) I see a two or more 401's followed by the normal 200, 302 and 304 status codes. When I saw the 401's I thoguht that was wierd because post-authentication access is unincumbered.
Any one have thoughts as to why after successful authentication I'd be seeing 401's?
Here are a couple of snippets from the access log showing the results:
I've been prompted for NT credentials, I enter them and am able to proceed. I see 401's though after authentcation has occured:
| Code: | 10.10.10.10 - - [30/Oct/2014:08:58:32 -0700] "GET /manager/status/all HTTP/1.1" 401 381 "http://server-instance.some-domain.gov/manager/status?org.apache.catalina.filters.CSRF_NONCE=3ED491F8BA451A3B34DF716FA833DFD9" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
10.10.10.10 - - [30/Oct/2014:08:58:32 -0700] "GET /manager/status/all HTTP/1.1" 401 381 "http://server-instance.some-domain.gov/manager/status?org.apache.catalina.filters.CSRF_NONCE=3ED491F8BA451A3B34DF716FA833DFD9" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
10.10.10.10 - - [30/Oct/2014:08:58:32 -0700] "GET /manager/status/all HTTP/1.1" 401 381 "http://server-instance.some-domain.gov/manager/status?org.apache.catalina.filters.CSRF_NONCE=3ED491F8BA451A3B34DF716FA833DFD9" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
10.10.10.10 - - [30/Oct/2014:08:58:32 -0700] "GET /manager/status/all HTTP/1.1" 401 381 "http://server-instance.some-domain.gov/manager/status?org.apache.catalina.filters.CSRF_NONCE=3ED491F8BA451A3B34DF716FA833DFD9" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" |
The page loads, but again with 401's mixed in:
| Code: | 10.10.10.10 - my_username [30/Oct/2014:08:58:32 -0700] "GET /manager/status/all HTTP/1.1" 200 17368 "http://server-instance.some-domain.gov/manager/status?org.apache.catalina.filters.CSRF_NONCE=3ED491F8BA451A3B34DF716FA833DFD9" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
10.10.10.10 - my_username [30/Oct/2014:08:58:32 -0700] "GET /manager/status/all HTTP/1.1" 200 17368 "http://server-instance.some-domain.gov/manager/status?org.apache.catalina.filters.CSRF_NONCE=3ED491F8BA451A3B34DF716FA833DFD9" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
10.10.10.10 - my_username [30/Oct/2014:08:58:32 -0700] "GET /manager/images/asf-logo.gif HTTP/1.1" 304 - "http://server-instance.some-domain.gov/manager/status/all" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
10.10.10.10 - my_username [30/Oct/2014:08:58:32 -0700] "GET /manager/images/asf-logo.gif HTTP/1.1" 304 - "http://server-instance.some-domain.gov/manager/status/all" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
10.10.10.10 - - [30/Oct/2014:08:58:32 -0700] "GET /manager/images/tomcat.gif HTTP/1.1" 401 381 "http://server-instance.some-domain.gov/manager/status/all" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
10.10.10.10 - - [30/Oct/2014:08:58:32 -0700] "GET /manager/images/tomcat.gif HTTP/1.1" 401 381 "http://server-instance.some-domain.gov/manager/status/all" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
10.10.10.10 - - [30/Oct/2014:08:58:32 -0700] "GET /manager/images/tomcat.gif HTTP/1.1" 401 381 "http://server-instance.some-domain.gov/manager/status/all" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
10.10.10.10 - - [30/Oct/2014:08:58:32 -0700] "GET /manager/images/tomcat.gif HTTP/1.1" 401 381 "http://server-instance.some-domain.gov/manager/status/all" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
10.10.10.10 - my_username [30/Oct/2014:08:58:32 -0700] "GET /manager/images/tomcat.gif HTTP/1.1" 304 - "http://server-instance.some-domain.gov/manager/status/all" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
10.10.10.10 - my_username [30/Oct/2014:08:58:32 -0700] "GET /manager/images/tomcat.gif HTTP/1.1" 304 - "http://server-instance.some-domain.gov/manager/status/all" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
|
Log format is:
| Code: | | LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" common |
Since my log format includes the %l field, I see that wehre it is blank I am getting 401's in my access log.
Any thoughts on what I either doing wrong or still need to do? |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg
|
|
| Back to top |
|
|
|
|
|
|
